
Documentation 8.4

Deyel offers several options for connecting to each company's services. Each option determines the access mode to the service according to security requirements, and each is detailed below.

Web Access

 

Standard access to Deyel Cloud uses the https protocol, which allows access from any client connected to the Internet.

 

 

SC-Despliegue-001

Access with Own Domain

 

Deyel is accessed through a web address (URL) for each environment. For the production environment, this URL can be defined under the customer's own domain.

Access must be secure, so an https certificate is required to perform this configuration.

 

This configuration requires tasks from both the domain owner and the Deyel technical team.

 

The tasks to be performed by the domain owner are:

 

Register their domain and configure its route to the Deyel Cloud server.

Acquire a Single Domain or Wildcard type SSL certificate (TLS 1.2) and provide it to the Deyel technical team to enable access over the https protocol.

 

The tasks to be performed by the Deyel technical team are:

 

Install the SSL certificate on the load balancer of the Deyel Cloud server.

Deliver the load balancer data to the user so that it can be configured in their domain.

 

 

SC-Despliegue-002

 

 

Access to two Applications

 

SC-Despliegue-003

Private Cloud

Configuring Private Connections (VPN) to Access Web Services

 

Deyel Cloud can establish "site-to-site" VPN connections so that Deyel can access web services located on servers in the customer's private network.

The VPN service includes initial configuration, connectivity testing and technical support.

 

To use the VPN service, the customer needs a compatible VPN device located at their corporate premises, with an assigned public IP (IPv4) address and capable of being configured with the IPsec protocol.

 

Deyel uses the AWS Virtual Private Gateway service to establish IPsec tunnels with its clients and thus enable access to their web services, for example when performing integrations through a REST API.

 

This service establishes a "site-to-site" tunnel between the client and the Deyel AWS Virtual Private Gateway service using the Internet Key Exchange version 2 (IKEv2) protocol.

 

 

SC-Despliegue-004

 

 

The configuration of this service supports different types of encryption:

 

AES 256-bit encryption, SHA-2 hashing.

 

Diffie-Hellman groups:

 

Phase 1 can now use DH groups 2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24

 

Phase 1 encryption algorithms AES128, AES256, AES128-GCM-16, AES256-GCM-16

Phase 1 integrity algorithms SHA-1, SHA2-256, SHA2-384, SHA2-512

 

Phase 1 can now use DH groups 2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24

Phase 2 encryption algorithms AES128, AES256, AES128-GCM-16, AES256-GCM-16

Phase 2 integrity algorithms SHA-1, SHA2-256, SHA2-384, SHA2-512

 

 

Customer Data

 

Customer Gateway (the customer's public IP address where the tunnel is established).

Local Customer IPv4 Network CIDR (the customer's destination IP/network to connect to privately).

Pre-shared key to establish encryption.

 

 

Deyel Data

 

Outside IP Address (Deyel public IP provided by AWS for "tunnel 1-2", from which the tunnel is established).

Local IPv4 Network CIDR (private network/IP within the VPC from which the customer receives the connections privately). *Network/IP of the EC2 Nat-VP.
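
The customer-side parameters listed above can be checked before they are sent to the Deyel technical team. The following is an added example, not Deyel code: the function `check_tunnel_request` and the field names are hypothetical, the sample request is constructed, and two points are assumptions: the DH group list is applied to Phase 2 as well as Phase 1, and SHA-1 and DH group 2 are reported as legacy warnings.

```python
import ipaddress

# Supported values, copied from the lists on this page. The page labels the
# DH list "Phase 1" only; applying it to Phase 2 as well is an assumption.
SUPPORTED = {
    "dh_group": {2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24},
    "encryption": {"AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"},
    "integrity": {"SHA-1", "SHA2-256", "SHA2-384", "SHA2-512"},
}
# Assumption (local hardening preference, not a Deyel requirement): SHA-1 and
# the 1024-bit DH group 2 are accepted by the service but reported as warnings.
LEGACY = {"dh_group": {2}, "integrity": {"SHA-1"}}
# Ranges that cannot serve as a public Customer Gateway address.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]


def check_tunnel_request(req):
    """Return (errors, warnings) for a site-to-site VPN request."""
    errors, warnings = [], []
    try:
        gw = ipaddress.IPv4Address(req["customer_gateway"])
        if any(gw in net for net in NON_PUBLIC):
            errors.append(f"customer_gateway {gw} is not a public address")
    except ValueError:
        errors.append("customer_gateway is not a valid IPv4 address")
    try:
        # strict=True rejects a CIDR with host bits set, e.g. 192.168.10.5/24
        ipaddress.IPv4Network(req["local_cidr"], strict=True)
    except ValueError as exc:
        errors.append(f"local_cidr invalid: {exc}")
    for phase in ("phase1", "phase2"):
        for field, allowed in SUPPORTED.items():
            value = req[phase][field]
            if value not in allowed:
                errors.append(f"{phase}.{field}={value} is not supported")
            elif value in LEGACY.get(field, ()):
                warnings.append(f"{phase}.{field}={value} is legacy")
    return errors, warnings


# Constructed sample; 203.0.113.10 is a documentation (TEST-NET-3) address.
SAMPLE = {
    "customer_gateway": "203.0.113.10",
    "local_cidr": "192.168.10.0/24",
    "phase1": {"dh_group": 20, "encryption": "AES256", "integrity": "SHA2-256"},
    "phase2": {"dh_group": 2, "encryption": "AES256-GCM-16", "integrity": "SHA-1"},
}
print(check_tunnel_request(SAMPLE))
```

The pre-shared key is deliberately not part of the request structure, so it is never printed or logged alongside the other parameters.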

Access Control Based on Enabling IP Addresses

 

Deyel Cloud can protect access to its service by restricting it to a specific list of IP addresses. To implement this, public access is blocked using custom source IP filters, which control the access points allowed over the https protocol.

 

Once the allowed IP addresses are configured, users attempting to connect to Deyel from any other IP address receive an error message indicating that they must connect to the site through a VPN connection or from the company's corporate network.

 

 

SC-Despliegue-005